Wednesday, 30 December 2009

So finally, Gonzalez, the ‘mastermind’ behind the targeted SQL injection attacks on Heartland that yielded around 150 million payment card details, is being sentenced to at least 17 years in a US prison. To put this time in perspective, Gonzalez will serve about four seconds for every record stolen. His co-conspirators, believed to be in Russia, have yet to be apprehended, making this sentencing a hollow victory for the US justice system.

The Department of Justice Assistant Attorney General Breuer said that they “… will not allow computer hackers to rob consumers of their privacy and erode the public's confidence in the security of the marketplace,” adding, “criminals like Albert Gonzalez who operate in the shadows will be caught, exposed and held to account. Indeed, with timely reporting of data breaches and high-tech investigations, even the most sophisticated hacking rings can be uncovered and dismantled, as our prosecutors and agents demonstrated in this case.”

The reality is that the hacking ring has not been broken, and Mr. Gonzalez's conspirators are free to continue their illegal activities. The technological vulnerabilities that allowed the Heartland breach to occur are still prevalent in the global IT infrastructure. Verizon has reported that exploitation of these vulnerabilities is the growth area for cyber-criminals.

It would seem that enterprises and others should realize that, given the prevalence of these vulnerabilities, they are highly likely to be hacked, and should take immediate precautions. Knowing that these vulnerabilities are present gives these enterprises a responsibility and an obligation to protect their customers from the Gonzalezes of the world, especially knowing that only a few will ever be caught.

Wednesday, 16 December 2009

The folks at Amazon have announced demand-and-supply-based pricing for their cloud resources, whereby it becomes cheaper per hour to run your enterprise applications when demand is low. My take on this is broadly positive, as it gets closer to the true cloud model of “pay per drink”, where the price of the drink depends on how many other drinkers there are (and the size of the barrel). All of this, however, is completely orthogonal to whether the drink is toxic or not (or whether the other drinkers are spitting in the barrel themselves).

Regardless of the pricing model for computing power, there is absolutely NO correlation with the level of security provided.

When drawing from any shared pool we need to ensure that all drinkers use only special drinking straws with built-in filters, like those at istraw. Such "virtual cloud straws" are simply filtering firewalls that only permit "clean and safe drink" to pass the lips of the drinker.

Now, a security drinking straw that also runs in the cloud, is flexible, and can be paid for on a "pay per filtering" model fits the vision of the cloud. What would it take to provide a virtualized database firewall that runs in the Cloud – filtering out unwanted database accesses and keeping your database from being "sucked dry" or "poisoned"?

Wednesday, 9 December 2009

Verizon has issued an addendum to its 2009 threat report that shows how damaging SQL injection attacks have become in a short period of time. According to the report, SQL injection was used in 19 percent of the cases and accounted for 79 percent of the breached records. We expect SQL injection to be the primary means of data access in 2010, accounting for as many as 90 percent of all breached records if proper controls are not put in place.

Their report is titled "Data Breaches Getting More Sophisticated", but the reality is that SQL injection attacks obeying the 80:20 rule are the result of really "dumb" application development compounded by lax security and missing defenses. The headline should really read "Data Defenses Must Get More Sophisticated".

We are dealing with a quickly evolving threat ecosystem, and companies today need to take measures that assume the hackers will enter the network through the very applications they have invested in. What provisions do you have in place that will stop the identification and theft of information? If you can’t answer that question quickly and clearly, you may be in for a difficult 2010.

Tuesday, 1 December 2009

The news that Guardium has been acquired by IBM has been followed with great interest by those of us in the database security industry, as you would expect. What makes this acquisition so interesting is its timing. In 2009, the general business community became well aware of what we in the data security industry have viewed as the common threat landscape for years – insiders, third parties, organized criminal gangs, SQL injection attacks, etc. A mixture of technological advancement and economic instability provided the perfect threat storm that was 2009. This, however, is more than a “we told you so” moment.

With this acquisition, we see database activity and transaction monitoring becoming central to any organization’s security plan. Nick Selby has written a great perspective on why this acquisition marks a change in the overall security landscape and predicts increased quality, better-integrated components, and cross-enterprise security programs. (Note: Secerno is mentioned in the article.) In the coming years, not having real-time knowledge of your database’s activities and the ability to block threats will seem antiquated – almost like a company not having a firewall. We welcome this next phase of the security industry – and it’s been a long time coming.
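As an added illustration (not code from these posts, and not how Secerno's or Guardium's products work), the toy Python "database firewall" below ties together the filtering straw of the 16 December entry and the monitor-and-block capability of the Guardium entry: it learns the statement shapes the application legitimately issues, then blocks any statement whose shape differs, which is exactly what a string-concatenated query turns into once its input is tampered with. The table, rows and inputs are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory store standing in for the application's database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan TEXT)")
conn.executemany("INSERT INTO cards (holder, pan) VALUES (?, ?)",
                 [("alice", "4111-xxxx"), ("bob", "5500-xxxx")])

def fingerprint(sql: str) -> str:
    """Reduce a statement to its structural shape: literals become '?', whitespace collapses."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)       # quoted string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)  # numeric literals
    return " ".join(shape.split()).lower()

class DatabaseFirewall:
    """Learn the application's legitimate statement shapes, then block everything else."""
    def __init__(self, connection):
        self.conn, self.allowed, self.enforcing, self.blocked = connection, set(), False, []

    def learn(self, sql, params=()):
        self.allowed.add(fingerprint(sql))          # learning mode: record the shape
        return self.conn.execute(sql, params).fetchall()

    def execute(self, sql, params=()):
        fp = fingerprint(sql)
        if self.enforcing and fp not in self.allowed:
            self.blocked.append(fp)                 # real-time knowledge: log what was stopped
            raise PermissionError(f"blocked unknown statement shape: {fp}")
        return self.conn.execute(sql, params).fetchall()

def lookup_unsafe(fw, holder):
    """The 'dumb' pattern: user input concatenated into the statement text."""
    return fw.execute(f"SELECT pan FROM cards WHERE holder = '{holder}'")

def lookup_safe(fw, holder):
    """Parameterised: input travels as data, so the statement shape never changes."""
    return fw.execute("SELECT pan FROM cards WHERE holder = ?", (holder,))

def demo():
    fw = DatabaseFirewall(conn)
    fw.learn("SELECT pan FROM cards WHERE holder = ?", ("alice",))  # legitimate traffic
    fw.enforcing = True
    result = {"safe": lookup_safe(fw, "bob"),
              "unsafe_benign": lookup_unsafe(fw, "alice")}   # same shape, so still allowed
    try:
        lookup_unsafe(fw, "x' OR '1'='1")   # constructed tautology input changes the shape
        result["injected_blocked"] = False
    except PermissionError:
        result["injected_blocked"] = True
    result["blocked_count"] = len(fw.blocked)
    return result
```

Note that the monitor judges behaviour rather than code path: the concatenated query passes while its input is benign and is stopped only when the input alters the statement's structure, which is why the post argues for monitoring at the database rather than trusting the application.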